phrfhsgvrk.exe

Ge-Force

Webar

The application phrfhsgvrk.exe, “Ge-Force Installer”, has been detected as adware by 17 anti-malware scanners. The program is a setup application built with the Nullsoft Install System installer; however, the file is not signed with an Authenticode signature from a trusted source. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.
Publisher:
Webar

Product:
Ge-Force

Description:
Ge-Force Installer

Version:
1.36.01.22

MD5:
fe6b9a830f10f021d1c2f6a4e06c1b34

SHA-1:
98ded2d99840480cf59ee2c75712757c34ddb263

SHA-256:
3809b90f9e768b2f449b20dd173213ff7e98c47b15320c80c33f348d30c5e2da

Scanner detections:
17 / 68

Status:
Adware

Explanation:
This is part of the Crossrider Internet browser extension framework which may modify the user's web browser settings including changing the home and search pages.

Note:
Crossrider is the owner of a platform that enables the creation of cross-browser extensions by developers but is not the owner of this detected application.

Analysis date:
11/28/2024 9:51:05 AM UTC

Scan engine             Detection                                                     Engine version
Lavasoft Ad-Aware       Gen:Application.Parj.1                                        591
AhnLab V3 Security      PUP/Win32.CrossRider                                          2015.06.17
Avira AntiVirus         ADWARE/CrossRider.Gen7                                        8.3.1.6
avast!                  NSIS:Crossrider-EV [PUP]                                      2014.9-150623
Dr.Web                  Trojan.Crossrider.46916                                       9.0.1.0174
ESET NOD32              Win32/Toolbar.CrossRider.CM potentially unwanted (variant)    9.11795
G Data                  Script.Application.Plush                                      15.6.25
Malwarebytes            PUP.Optional.GeForce.A                                        v2015.06.23.10
MicroWorld eScan        Gen:Application.Parj.1                                        16.0.0.522
Panda Antivirus         Trj/Genetic.gen                                               15.06.23.10
Quick Heal              JS.Adware.CrossRider.A                                        6.15.14.00
Reason Heuristics       PUP.Downloader.Webar.Installer (M)                            15.6.23.22
Rising Antivirus        PE:Malware.Adload!6.1D9D                                      23.00.65.15621
Trend Micro House Call  ADW_CROSSRIDER                                                7.2.174
Trend Micro             ADW_CROSSRIDER                                                10.465.23
Vba32 AntiVirus         suspected of Trojan.Downloader.gen.h                          3.12.26.4
Zillya! Antivirus       Trojan.BlackGen.Win32.11                                      2.0.0.2227

File size:
9.7 MB (10,221,791 bytes)

Copyright:
Copyright Webar

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\phrfhsgvrk.exe

File PE Metadata
Compilation timestamp:
12/4/2012 8:55:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:QP7H161CaY31jjWwyphOIKzJwf5B+6nH+7slz81pl/IYmwu59c0PuymCamLKaAK:QzHk231jjlO5BjH+7sk0h6PmLKaR

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Code size:
34.5 KB (35,328 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to tlb.hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.11.98:80)

TCP (HTTP):
Connects to ec2-23-23-138-248.compute-1.amazonaws.com  (23.23.138.248:80)

Powered by Reason Core Security